Two-Thirds of Management Don’t Know Where Their Data Is

According to a report by data systems management provider Varonis Systems, more than two-thirds of the respondents to a recent survey indicate that their senior management has little or no idea where their company data resides.

"67% of respondents say that senior management in their organizations either don’t know where all company data resides or are not sure," the company revealed in a recent press release.

The survey was conducted during the EMC World event, and includes data from more than 400 enterprises.

The majority of companies surveyed also indicate they have no systems in place to account for which corporate files reside in systems managed by third-party service providers.

"With Bring Your Own Device (BYOD) – particularly mobile and tablet devices – and file synch services booming, companies are open to a wave of potential devastation. Files kept on third party cloud services can be lost, misplaced, accessed by unauthorized people or leave the company with the employee, causing data privacy and compliance issues," Varonis reports.

The survey also reveals that less than ten percent of the companies surveyed have procedures in place to control access to data stored in the cloud, while one in four companies indicate they are in the process of developing policies to govern data access.

"Alarmingly, of those that are allowing cloud-based file synchronization services, only 9% of respondents’ companies have a process for authorizing and reviewing access to cloud repositories in place, with another 23% still developing their access policies," Varonis said.

“The results clearly show a lack of control by those organizations that have adopted cloud file sync services,” said David Gibson, VP of Strategy at Varonis.

The majority of companies surveyed are operating with little or no formal controls over access to potentially sensitive data.

"The remaining 68% either have no plans in place that they are aware of, or live without formal processes for granting and reviewing access. Without control over access, or knowledge of where potentially sensitive organizational data resides, data is virtually ‘up for grabs’," the company reports.

More than three-quarters of the respondents indicate they would prefer to implement existing permissions structures for access control if it would provide the opportunity for the level of collaboration cloud services can offer, and over half would be willing to allow BYOD if secure access protocols did not inhibit collaboration.

“The most disturbing findings were the number of companies that report they have no way to track what data is being stored in the cloud, no process to manage access to that data (or plans to do so), and that management doesn’t know where enterprise data is stored. This should act as a wakeup call for organizations to develop a conscious strategy to ensure secure collaboration as quickly as possible,” Gibson continued.

Gibson’s tips for secure collaboration include:

Create an inventory of your most used collaboration platforms to get an overview of where data lives, who has access to it, and who is using it.

Identify data owners for each data set and have owners perform a preliminary entitlement review to see if data is stored in the right place and if the right people have access to it.

Remediate any exposures, such as data that is accessible to too many people or regulated/sensitive content that is stored in the wrong place.

Monitor access to all data – this will help easily identify data owners and identify unused data and abuse.

Put a process into place that provides secure collaboration for remote employees – including synchronization, mobile device support and extranet functionality – that works within the existing enterprise servers and infrastructure.

David Dennis
We could attribute this to general cluelessness on the part of business leaders, but that's not necessarily the case. The main drivers for technology adoption over the last 10+ years have been:

Technology gets adopted when the battle for ROI is won. So far, security hasn't been able to win that one. While it's hard to justify cost avoidance and missed business opportunity, it's not impossible. Processes like TQM and Six Sigma are basically cost avoidance disciplines and they are adopted because they can demonstrate that eliminating defects can lower production costs, speed delivery, and increase customer satisfaction. Until security practitioners can demonstrate that kind of a case for business, the only customers they will retain are the scared ones.
